Tor Hidden Services

How Hidden is ‘Hidden’?

- ICTR Network Expl…

• Tor is an implementation of 2nd generation onion routing
• Originally sponsored by the US Naval Research Laboratory
• Later became an Electronic Frontier Foundation project
• Helps to prevent network traffic analysis & surveillance
• Open network with over 2000 nodes
• Anonymity tool
• Uses multiple layers of encryption
• Multi-hop proxy
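The last two bullets are the whole idea of onion routing, so here is a toy walk-through of it as an added example (not code from the slides or from Tor itself). The client wraps the message in one layer per relay, innermost first; each relay strips only its own layer and learns nothing beyond the next hop. The per-hop keys are constructed test values standing in for the keys Tor negotiates during circuit building, and the SHA-256 counter keystream is a stand-in for Tor's per-hop AES-CTR, not a real cipher; the hop names and `dest.example:443` are made up.

```python
import hashlib
import struct

# Constructed per-hop keys. In Tor each one is negotiated with that relay
# while the circuit is built; here they are fixed test values.
PATH = [
    ("guard", b"constructed-key-guard"),
    ("middle", b"constructed-key-middle"),
    ("exit", b"constructed-key-exit"),
]
HEADER_LEN = 32  # fixed-width "next hop" field at the front of every layer


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream.

    Stands in for Tor's per-hop AES-CTR layer; it is NOT a real cipher,
    but it is symmetric, so the same call both wraps and peels a layer.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Wrap payload innermost-first.

    The exit's layer names the final destination; every outer layer names
    the next relay, so relay i can only ever read the name of relay i+1.
    """
    onion = payload
    next_hop = destination
    for name, key in reversed(path):
        header = next_hop.encode().ljust(HEADER_LEN, b"\x00")
        onion = keystream_xor(key, header + onion)
        next_hop = name
    return onion


def peel_layer(key: bytes, onion: bytes):
    """What one relay does: strip its own layer and read where to forward."""
    plain = keystream_xor(key, onion)
    next_hop = plain[:HEADER_LEN].rstrip(b"\x00").decode()
    return next_hop, plain[HEADER_LEN:]


def route(path, onion: bytes):
    """Simulate the relays in order and record what each one learns."""
    learned = []
    for name, key in path:
        next_hop, onion = peel_layer(key, onion)
        learned.append((name, next_hop, onion))
    return learned


if __name__ == "__main__":
    msg = build_onion(PATH, "dest.example:443", b"GET / HTTP/1.1")
    for name, nxt, rest in route(PATH, msg):
        shown = rest if name == "exit" else "(opaque blob)"
        print(f"{name}: forwards to {nxt}; sees {shown}")
```

The `route()` output is the point of the slide: the guard sees the client and the name `middle`, the middle relay sees `guard` and `exit`, and only the exit sees the destination and the plaintext payload. Nobody on the path sees both ends.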
• General Tor research
• HOMING TROLL
  - Bridge discovery capability
• Hidden Services
• Helped with a few deanonymisation techniques
• Worked with JTRIG & MCR (Maths & Crypt…)
• Provided support to OP SUPERIORITY
What is it used for?

The Good

- People living in oppressive countries (circumvent firewalls)
- Access to free media instead of state propaganda
- People can say what they want without it being linked to them

The Bad

- Bot herders use Tor to give instructions to their bots
- Allows paedophiles to access content without linking themselves to it
- State actors can launch attacks without being attributable
- “Anonymous” & LulzSec
What do we see?

• Any traffic between the client & Tor is heavily encrypted.
• We can only really see traffic from an exit node to a website
  - But we don’t know where this traffic originated from
• Still could link up aliases though
  - ‘Somebody’ could still visit a dodgy forum and log in with …, or send an email using a known target email address (as … use SSL).

Phew... at least there is some intelligence gain....
Hidden Services

So what do we see now?

• Not much...
• All Hidden Service traffic is heavily encrypted.
• Most we can gather is that one Tor node talks to another Tor node
• Hiding in the crowd at its best!
The dot onion BOOM

• What’s this .onion business?
  - TLD Tor uses to initiate a connection to a hidden service
• Example onion domain
  - 16 characters in base32 (the base32 alphabet is a-z and 2-7, so the digits 0, 1, 8 and 9 never appear)
  - oqznfi3tdo6nwg3f.onion
• Tor uses something similar to DNS to resolve an onion domain
  - Onion domains ‘resolve’ to 3+ relays (with their IP addresses) called Introduction Points
Pieces of the Jig-Saw

• The actual Hidden Service (HS)
  - Where the service actually originates from
• User
  - The user who wishes to access the Hidden Service
• Hidden Service Directory (HSDir)
  - A directory server that holds information on a Hidden Service
• Introduction Point (IPT)
  - Hidden Service’s ‘front door’ / relay
• Rendezvous Point (RP)
  - Client’s ‘front door’ / relay
Fitting it together



1. HS selects random IPTs 

2. HS uploads descriptor to HSDir 

3. Client finds out about HS 

4. Client requests descriptor from HSDir 

5. Client selects a random RP 

6. Client contacts one IPT 

7. HS replies to RP 

8. RP relays between client and HS 
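Steps 2 and 4 (and the ‘something similar to DNS’ on the .onion slide) come down to two hashes, so here is the v2 scheme worked through as an added example; it is not code from the slides or from Tor, but it follows the v2 rendezvous specification that the 16-character addresses on the slides belong to. The onion address is the first 80 bits of SHA-1 over the DER-encoded RSA public key, base32-encoded. The descriptor ID that decides which HSDirs hold the descriptor is `SHA1(permanent-id | SHA1(time-period | descriptor-cookie | replica))`, and the responsible HSDirs are the three relays whose fingerprints follow that ID on the sorted ring of HSDir fingerprints, for each of two replicas. `FAKE_DER_PUBKEY` and `FAKE_HSDIRS` are constructed test values, not a real key or real relays; the later v3 scheme (56-character addresses, Ed25519 keys, blinded keys) is different and not covered here.

```python
import base64
import bisect
import hashlib
import re
import struct

# v2 addresses: 16 base32 characters, alphabet a-z and 2-7 only.
ONION_V2_RE = re.compile(r"^[a-z2-7]{16}\.onion$")

# Constructed stand-in for a DER-encoded RSA-1024 public key (a real one is
# the ~140-byte RSAPublicKey structure); any bytes work for the hashing.
FAKE_DER_PUBKEY = b"\x30\x81\x89\x02\x81\x81" + bytes(range(129)) + b"\x02\x03\x01\x00\x01"

# Constructed HSDir ring: 20-byte relay fingerprints spread around the ring.
FAKE_HSDIRS = [bytes([b]) + b"\x00" * 19 for b in (0x10, 0x40, 0x90, 0xD0)]


def permanent_id(der_public_key: bytes) -> bytes:
    """First 80 bits of SHA-1 over the DER public key (rend-spec v2)."""
    return hashlib.sha1(der_public_key).digest()[:10]


def onion_address(der_public_key: bytes) -> str:
    """The .onion name is just the permanent id, base32, lowercased."""
    return base64.b32encode(permanent_id(der_public_key)).decode("ascii").lower() + ".onion"


def is_v2_onion(name: str) -> bool:
    return ONION_V2_RE.match(name) is not None


def time_period(perm_id: bytes, now: int) -> int:
    # 24-hour periods, offset per service by its first id byte so that
    # not every service moves to new HSDirs at the same moment.
    return (now + perm_id[0] * 86400 // 256) // 86400


def descriptor_id(perm_id: bytes, now: int, replica: int, cookie: bytes = b"") -> bytes:
    """SHA1(permanent-id | SHA1(time-period(4 bytes BE) | cookie | replica(1 byte)))."""
    secret = hashlib.sha1(
        struct.pack(">I", time_period(perm_id, now)) + cookie + bytes([replica])
    ).digest()
    return hashlib.sha1(perm_id + secret).digest()


def responsible_hsdirs(desc_id: bytes, hsdir_fingerprints, n: int = 3):
    """The n HSDirs whose fingerprints follow desc_id on the ring (wrapping)."""
    ring = sorted(hsdir_fingerprints)
    start = bisect.bisect_left(ring, desc_id)  # first fingerprint >= desc_id
    return [ring[(start + i) % len(ring)] for i in range(n)]


def place_descriptor(der_public_key: bytes, now: int, hsdir_fingerprints, replicas=(0, 1)):
    """Where a service uploads (step 2) and a client fetches (step 4) right now."""
    pid = permanent_id(der_public_key)
    return {
        r: responsible_hsdirs(descriptor_id(pid, now, r), hsdir_fingerprints)
        for r in replicas
    }


if __name__ == "__main__":
    addr = onion_address(FAKE_DER_PUBKEY)
    print(addr, is_v2_onion(addr))
    for replica, dirs in place_descriptor(FAKE_DER_PUBKEY, 1_400_000_000, FAKE_HSDIRS).items():
        print("replica", replica, "->", [d.hex()[:4] for d in dirs])
```

Two things fall out of this that the slides rely on: the client needs nothing but the address and the current time to find the right HSDirs (no central resolver), and whoever operates the relays that land just after a descriptor ID on the ring is handed that descriptor, which is why acting as a HSDir is listed later as a way to collect onion domains.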
© Crown Copyright. All rights reserved. This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on … Contains Intellectual Property owned and/or managed by … The material may be disseminated throughout the recipient organisation, … dissemination outside the organisation.
Possible Exploits?

• Rendezvous Point (RP)
  - What if we owned the RP?
  - Traffic still encrypted, although only a single layer of encryption
  - Still only content; don’t know who the user is or where the HS is located
  - Clients randomly select their RP so unlikely to be picked anyway
• Hidden Service Directory (HSDir)
  - If we take a HSDir down, there are still many left
  - Could potentially collect onion domains if we acted as a HSDir
• Client
  - No real way to distinguish between a Tor user accessing the web …
• Introduction Points (IPT)
  - All Hidden Service IPTs are listed on its descriptor (the thing that’s stored on a HSDir)
  - Potential for an attack on IPTs to stop them accepting connections for the HS
  - This could be done using a ‘Coil Attack’
  - Doesn’t stop a HS selecting another set of IPTs
  - HS can encrypt their IPTs in their descriptor (but …)
• Hidden Service (HS)
  - What about exploiting the HS directly?
  - Potential to identify the IP addresses of hidden services
    • But can’t really say which one
  - Identified a beaconing pattern from HS
  - Dependent on collection posture
  - Great for PRESTON
Idle Client Beacons

Idle HS Beacons
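The two beacon slides are graphs in the original deck, and the deck does not state what interval or size pattern the idle beacons have. As an added example (not the slides’ own analysis and not a description of Tor’s real timers), here is the generic periodicity check a detection engineer would run over flow metadata to find the kind of regular, content-free check-in that ‘beaconing pattern’ refers to: group flows by (source, destination), measure the gaps between events, and flag pairs whose gaps are tightly clustered. The flow records are constructed; `A -> B` fires roughly every 600 seconds, `C -> D` is bursty and `E -> F` has too few events to judge. The ‘collection posture’ caveat applies unchanged: you only get these timestamps if your sensor sits where it can see the host’s own traffic, and Tor’s encryption means timing and size are all you have.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (unix_time, src, dst). Not captured data.
FLOWS = [
    (0, "A", "B"), (600, "A", "B"), (1205, "A", "B"), (1795, "A", "B"),
    (2400, "A", "B"), (3002, "A", "B"), (3598, "A", "B"), (4200, "A", "B"),
    (0, "C", "D"), (30, "C", "D"), (700, "C", "D"), (720, "C", "D"),
    (2000, "C", "D"), (2100, "C", "D"),
    (100, "E", "F"), (700, "E", "F"), (1300, "E", "F"),
]


def beacon_score(timestamps, min_events: int = 5):
    """Interval statistics for one src/dst pair, or None if too few events.

    jitter is the coefficient of variation of the inter-event gaps: close
    to 0 for a timer-driven beacon, large for human or bursty traffic.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    interval = mean(gaps)
    jitter = pstdev(gaps) / interval if interval else float("inf")
    return {"events": len(ts), "interval": interval, "jitter": jitter}


def find_beacons(flows, max_jitter: float = 0.2, min_events: int = 5):
    """Return {(src, dst): score} for pairs whose timing looks periodic."""
    by_pair = defaultdict(list)
    for t, src, dst in flows:
        by_pair[(src, dst)].append(t)
    hits = {}
    for pair, ts in by_pair.items():
        score = beacon_score(ts, min_events)
        if score and score["jitter"] <= max_jitter:
            hits[pair] = score
    return hits


if __name__ == "__main__":
    for pair, score in find_beacons(FLOWS).items():
        print(pair, f"every ~{score['interval']:.0f}s, jitter {score['jitter']:.3f}")
```

The thresholds (`max_jitter`, `min_events`) are tuning knobs, not facts from the slides; on a real sensor you would also bucket by byte size, because a keep-alive beacon tends to be the same size every time, and that is a second, independent signal.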
Summary

• Tor helps people become anonymous
• Very naughty people use Tor
• Hidden Services hide the fact that web content even exists
• Near impossible to figure out who is talking to who
• It’s complicated
• Some areas for further research
• Until then... doesn’t stop us from using them

Questions?